Patents Assigned to Symantec
-
Patent number: 10110738
Abstract: The disclosed computer-implemented method for detecting illegitimate voice calls may include (1) identifying an incoming voice call, (2) processing the incoming voice call in real time by (a) segmenting the incoming voice call into progressively produced call segments and, (b) for each new segment as the progressively produced call segments are produced, (A) extracting a set of features from the new segment and (B) feeding, as input into a neural network, the set of features and an output from the neural network generated based on a preceding segment of the incoming voice call, thereby generating a new output representing the current likelihood that the incoming voice call is illegitimate, (3) determining that the likelihood that the incoming voice call is illegitimate is above a predetermined threshold, and (4) performing a security action during the incoming voice call. Various other methods, systems, and computer-readable media are also disclosed.
Type: Grant
Filed: August 19, 2016
Date of Patent: October 23, 2018
Assignee: Symantec Corporation
Inventors: Vipul Sawant, Anudeep Kumar, Debanjan Bhattacharyya
-
Patent number: 10109171
Abstract: The disclosed computer-implemented method for performing security actions based on people's actual reactions to interactions may include (i) detecting an interaction (e.g., an interaction with a digital communication) of a monitored person (e.g., a child), (ii) estimating the monitored person's expected reaction to the interaction, (iii) using contemporaneous sensor data to estimate the monitored person's actual reaction to the interaction, and (iv) performing a security action based at least in part on a comparison of the monitored person's expected reaction and the monitored person's actual reaction. Various other methods, systems, and computer-readable media are also disclosed.
Type: Grant
Filed: June 20, 2017
Date of Patent: October 23, 2018
Assignee: Symantec Corporation
Inventors: Arun Karthick M A M, Ramakrishnan Meenakshi Sundaram, Bruce McCorkendale
-
Patent number: 10104100
Abstract: A computer-implemented method for detecting anomalies that are potentially indicative of malicious attacks may include (1) identifying a sequence of activities performed on a computing device, (2) calculating a cumulative influence score between pairs of activities in the sequence of activities through convolution of the sequence of activities, (3) detecting an anomaly that is potentially indicative of a malicious attack based on a comparison of the cumulative influence score and an expected threshold for a user of the computing device, and (4) in response to detecting the anomaly, performing a security action. Various other methods, systems, and computer-readable media are also disclosed.
Type: Grant
Filed: March 3, 2016
Date of Patent: October 16, 2018
Assignee: Symantec Corporation
Inventor: Walter Bogorad
-
Patent number: 10104097
Abstract: The disclosed computer-implemented method for preventing targeted malware attacks may include (1) identifying at least one candidate risk factor for targets of previous targeted malware attacks that were directed to the targets based on characteristics of the targets, (2) calculating a degree of association between the candidate risk factor and the previous targeted malware attacks by comparing rates of targeted malware attacks between a group that possesses the risk factor and a group that does not possess the risk factor, (3) identifying a candidate target of a targeted malware attack that possesses the candidate risk factor, and (4) adjusting a security policy assigned to the candidate target of the targeted malware attack based on the calculated degree of association between the candidate risk factor and the previous targeted malware attacks. Various other methods, systems, and computer-readable media are also disclosed.
Type: Grant
Filed: December 12, 2014
Date of Patent: October 16, 2018
Assignee: Symantec Corporation
Inventors: Leylya Yumer, Olivier Thonnard, Anand Kashyap
-
Patent number: 10097560
Abstract: The disclosed computer-implemented method for automatically adjusting user access permissions based on beacon proximity may include (1) identifying a network-enabled device that is attempting to access a network resource that is protected by a security policy, where the security policy identifies an access level at which one or more devices may access the network resource when the devices are within range of the short-range wireless signal from the secure beacon, (2) determining that the network-enabled device is within range of the short-range wireless signal from the secure beacon, and (3) establishing, according to the security policy, the access level at which the network-enabled device is allowed to access the network resource based at least in part on the network-enabled device being within range of the short-range wireless signal. Various other methods, systems, and computer-readable media are also disclosed.
Type: Grant
Filed: March 8, 2016
Date of Patent: October 9, 2018
Assignee: Symantec Corporation
Inventors: Michael Shavell, Kevin Jiang, Ilya Sokolov, Lei Gu
-
Patent number: 10091077
Abstract: The disclosed computer-implemented method for detecting transactional message sequences that are obscured in multicast communications may include (i) collecting a sequence of messages that were distributed on a communication channel and that include an obscured cyclic sequence of request-response messages that are interleaved in the sequence of messages, (ii) constructing a sequence graph from the sequence of messages by (a) adding, for each unique message identifier in the sequence of messages, a node to represent the unique message identifier and (b) adding, for each unique sequence transition in the sequence of messages from an immediately-preceding message to an immediately-succeeding message, an edge to connect the nodes that represent the identifiers of the unique sequence transition's immediately-preceding and immediately-succeeding messages, (iii) traversing the sequence graph to discover the obscured cyclic sequence of request-response messages, and (iv) performing a security action.
Type: Grant
Filed: June 27, 2016
Date of Patent: October 2, 2018
Assignee: Symantec Corporation
Inventors: Michael Pukish, Minjie Qiu, Shankar Somasundaram
-
Patent number: 10091231
Abstract: The disclosed computer-implemented method for detecting security blind spots may include (i) detecting, via an endpoint security program, a threat incident at a set of client machines associated with a security vendor server, (ii) obtaining an indication of how the set of client machines will respond to the detecting of the threat incident, (iii) predicting how a model set of client machines would respond to the threat incident, (iv) determining that a delta exceeds a security threshold, and (v) performing a security action by the security vendor server, in response to determining that the delta exceeds the security threshold, to protect the set of client machines at least in part by electronically notifying the set of client machines of information about the prediction of how the model set of client machines would respond to the threat incident. Various other methods, systems, and computer-readable media are also disclosed.
Type: Grant
Filed: September 15, 2016
Date of Patent: October 2, 2018
Assignee: Symantec Corporation
Inventors: Chris Gates, Stanislav Miskovic, Michael Hart, Kevin Roundy
-
Patent number: 10089469
Abstract: The disclosed computer-implemented method for whitelisting file clusters in connection with trusted software packages may include (1) identifying a trusted file cluster that includes a set of clean files, (2) identifying an additional file cluster that includes a set of additional files that typically co-exist with the set of clean files included in the trusted file cluster on computing systems, (3) determining that the trusted file cluster and the additional file cluster represent portions of a single trusted software package, and then, in response to determining that the trusted file cluster and the additional file cluster represent portions of the single trusted software package, (4) merging the trusted file cluster and the additional file cluster into a merged file cluster and (5) whitelisting the merged file cluster. Various other methods, systems, and computer-readable media are also disclosed.
Type: Grant
Filed: June 12, 2015
Date of Patent: October 2, 2018
Assignee: Symantec Corporation
Inventors: Kevin Roundy, Christopher Gates
-
Publication number: 20180276371
Abstract: A method for determining sandbox configurations for malware analysis is described. In one embodiment, the method may include receiving a plurality of files, extracting at least one element from at least one file from the plurality of files, identifying one or more properties associated with an endpoint, determining a correlation between the at least one extracted element and the one or more properties of the endpoint, and determining one or more sandbox configurations based at least in part on the determined correlation. In some cases, the endpoint is related to at least one of the plurality of files.
Type: Application
Filed: March 24, 2017
Publication date: September 27, 2018
Applicant: Symantec Corporation
Inventors: Lars Haukli, Felix Leder, Kevin Roundy
-
Patent number: 10083298
Abstract: A method for identifying malware is provided. The method includes performing a static analysis of a plurality of files and for each file of the plurality of files, determining in the static analysis whether the file includes an application programming interface (API). For each file, of the plurality of files, found to have an application programming interface, the method includes determining in the static analysis whether the application programming interface is proper in the file and alerting regarding an improper application programming interface when found in one of the plurality of files. A scanner for detecting malware is also provided.
Type: Grant
Filed: March 9, 2015
Date of Patent: September 25, 2018
Assignee: SYMANTEC CORPORATION
Inventor: Bhaskar Krishnappa
-
Patent number: 10078762
Abstract: The disclosed computer-implemented method for digitally enforcing computer parental controls may include (i) identifying a parental-control policy that controls a user's computer usage in some way, (ii) determining that the user is using a primary device, which is configured to restrict its usage according to the terms of the parental-control policy, to access a secondary device, which is not configured to restrict its usage according to the terms of the parental-control policy, and (iii) restricting, in response to the determination, the user's access to the secondary device according to the terms of the parental-control policy. Various other methods, systems, and computer-readable media are also disclosed.
Type: Grant
Filed: June 23, 2016
Date of Patent: September 18, 2018
Assignee: Symantec Corporation
Inventors: Lei Gu, Keith Newstadt
-
Patent number: 10079835
Abstract: A computer-implemented method for data loss prevention of unidentifiable and unsupported object types may include (1) monitoring, through at least one filter, data input to an application during execution, (2) scanning, through a data loss prevention scanner, the data input to the application to detect whether the data includes sensitive data that is protected by a data loss prevention policy, (3) flagging, based on the scanning, the application as having accessed the sensitive data that is protected by the data loss prevention policy, (4) detecting that the application is requesting to output a data object in a format that obscures underlying content, and (5) performing, by a data loss prevention program, a remedial action to prevent loss of the sensitive data based on both flagging the application and detecting that the application is requesting to output the data object in the format that obscures underlying content.
Type: Grant
Filed: September 28, 2015
Date of Patent: September 18, 2018
Assignee: Symantec Corporation
Inventors: Dhananjay Dodke, Sumesh Jaiswal, Amit Dhotre, Vipul Goel
-
Patent number: 10079850
Abstract: A computer-implemented method for provisioning cyber security simulation exercises may include (1) maintaining, at a data center level for a data center including a multitude of nodes, a cyber security simulation template that defines a resource configuration for a cyber security simulation exercise in which a participant executes a security attack within a contained network environment to educate the participant about cyber security, (2) detecting an indication to place a user session of the cyber security simulation exercise within the data center to enable the participant to perform the cyber security simulation exercise, and (3) dynamically allocating, by an autonomous and centralized data center allocation agent in response to detecting the indication, a pool of resources at a node within the data center to the user session to enable the participant to perform the cyber security simulation exercise. Various other methods, systems, and computer-readable media are also disclosed.
Type: Grant
Filed: December 29, 2015
Date of Patent: September 18, 2018
Assignee: Symantec Corporation
Inventors: Dipak Patil, Prasad Iyer
-
Patent number: 10073983
Abstract: The disclosed computer-implemented method for identifying suspicious singleton files using correlational predictors may include (1) identifying a set of known-clean computing devices that include no singleton files, (2) detecting at least one software component that is installed on a threshold number of the known-clean computing devices, (3) identifying an unvindicated computing device whose infection status is unknown, (4) determining that, in addition to being installed on the threshold number of known-clean computing devices, the software component is installed on the unvindicated computing device, (5) determining that the unvindicated computing device includes at least one singleton file, and then (6) classifying the singleton file as suspicious in response to determining that (A) the software component is installed on the unvindicated computing device and (B) the unvindicated computing device includes the singleton file. Various other methods, systems, and computer-readable media are also disclosed.
Type: Grant
Filed: December 11, 2015
Date of Patent: September 11, 2018
Assignee: Symantec Corporation
Inventors: Bo Li, Kevin Alejandro Roundy, Christopher Gates
-
Patent number: 10075454
Abstract: Telemetry data concerning multiple samples convicted as malware by different endpoints is tracked over time. During a period of time in which telemetry data concerning convicted samples are tracked, specific samples can be convicted multiple times, both on a single endpoint and/or on multiple endpoints. The tracked telemetry data concerning the convicted samples is analyzed, and data that is indicative of false positives is identified. Convictions of samples can be exonerated as false positives, based on the results of analyzing the tracked telemetry data. More specifically, multiple data points from the tracked telemetry data that comprise evidence of false positives can be quantified and weighted. Where the evidence of false positives exceeds a given threshold, convictions of a given sample can be exonerated.
Type: Grant
Filed: March 31, 2015
Date of Patent: September 11, 2018
Assignee: Symantec Corporation
Inventors: Jugal Parikh, Sandeep Bhatkar
-
Patent number: 10073968
Abstract: The disclosed computer-implemented method for classifying files may include (i) identifying a point in time before which there is a non-zero probability that at least one file within a group of files has been classified by a security system, (ii) identifying, within the group of files, a file with a timestamp that indicates the file was created or modified before the point in time, (iii) assigning, based on the timestamp of the file, a classification to the file that indicates the file is not trusted, and (iv) performing, by the security system, a security action based on the classification of the file. Various other methods, systems, and computer-readable media are also disclosed.
Type: Grant
Filed: June 24, 2016
Date of Patent: September 11, 2018
Assignee: Symantec Corporation
Inventor: Sujit Magar
-
Patent number: 10075456
Abstract: The disclosed computer-implemented method for detecting exploit-kit landing pages may include detecting an attempt to access a web page via a computing device. The web page may be an unknown landing page of an exploit kit that includes a script that may be used by the exploit kit to access attributes of the computing device that may be used by the exploit kit to select suitable exploit code for compromising the computing device. The disclosed computer-implemented method may further include (1) monitoring one or more behaviors of the script, (2) detecting an attempt by the script to access an attribute of the computing device, (3) determining, based on the attempt to access the attribute, that the web page is likely a landing page of the exploit kit, and (4) performing a security action in response to the determination. Various other methods, systems, and computer-readable media are also disclosed.
Type: Grant
Filed: March 4, 2016
Date of Patent: September 11, 2018
Assignee: Symantec Corporation
Inventors: Jeet Morparia, Liam OMurchu, Ravi Patel, Valentine Saengphaibul, Yana Liu
-
Publication number: 20180255074
Abstract: A method for managing cloud based applications is described. In one embodiment, the method includes detecting initiation of an application, detecting an action performed relative to the application, capturing the data associated with the detected action before the application encrypts the at least portion of the data, analyzing the captured data, and applying a network management policy to a packet flow based at least in part on the analyzing the captured data. In some cases, the application is configured to encrypt at least a portion of data associated with the detected action.
Type: Application
Filed: March 1, 2017
Publication date: September 6, 2018
Applicant: Symantec Corporation
Inventors: Qing Li, Joseph Chen, Torrey Umland, Dave Stahl, Tigran Grigoryan, Min Hao Chen
-
Patent number: 10069823
Abstract: Indirect access control is performed between a requestor computing device and a requestee computing device. Peer data is transmitted from the requestor to the requestee that asserts that the requestor is trusted by a peer computing device. It is verified that the requestor has a first degree of trust with the peer. Next degree peer data is received from the peer that asserts that the peer is trusted by a next degree peer computing device. It is verified that the peer has a next degree of trust with the next degree peer. A trust score is calculated for the requestor based on the verification of the peer data and the next degree peer data, and an access level is granted to the requestor based on the trust score.
Type: Grant
Filed: December 27, 2016
Date of Patent: September 4, 2018
Assignee: Symantec Corporation
Inventors: Brian Chong, Keith Newstadt, Sean Doherty
-
Patent number: 10069862
Abstract: Techniques for predicting and protecting spearphishing targets are disclosed. In one particular exemplary embodiment, the techniques may be realized as a system for predicting and protecting spearphishing targets. The system may comprise one or more processors communicatively coupled to a network. The one or more processors may be configured to identify one or more potential spearphishing targets based on information from an organization, receive additional information associated with the one or more potential spearphishing targets and the organization from publicly available sources, determine a threat level of a spearphishing attack on the one or more potential spearphishing targets based on the information from the organization and the additional information, and generate a report of the one or more potential spearphishing targets and the threat level associated with the one or more potential spearphishing targets.
Type: Grant
Filed: March 15, 2013
Date of Patent: September 4, 2018
Assignee: SYMANTEC CORPORATION
Inventors: Sanjay Sawhney, Kevin Alejandro Roundy